Amendments to the Claims

This listing of claims will replace all prior versions, and
listings, of claims in the application:

Listing of Claims

1-127. (Cancelled)

128. (Currently Amended) A user authentication method for a
communication network having a plurality of nodes, the method 
comprising: 

entering on a first node first user identification 
information; 

transmitting to an authentication agent on a second node 
communicating with the first node over a LAN link the first user 
identification information; 

relaying from the authentication agent to an authentication 
server the first user identification information;

comparing on the authentication server the first user 
identification information with user identification information 
in a database of user identification information; and 

transmitting from the authentication server to the 
authentication agent, if the first user identification 
information matches user identification information in the 
database of user identification information, notification 
information notifying the authentication agent that a user on 
the first node has been authenticated whereupon the 
authentication agent authorizes transmission on the second node
of packets in data flows involving the first node, wherein the 
first user identification information is transmitted to the 
authentication agent as part of a MAC-based authentication flow 
between an authentication client on the first node and the 
authentication agent. 

129. (Previously Presented) The method of claim 128,
further comprising relaying from the authentication agent to the 
authentication client as part of the MAC-based authentication 
flow the notification information. 

130. (Previously Presented) The method of claim l^fl,
further comprising, prior to transmitting the first user 
identification information to the authentication agent, 
transmitting from the authentication client to the 
authentication agent as part of the MAC-based authentication 
flow a request to establish an authentication session.

131. (Previously Presented) The method of claim 128,
further comprising transmitting from the authentication client 
to the authentication agent as part of the MAC-based 
authentication flow a logoff request, whereupon the 
authentication agent revokes the authorization. 

132. (Currently Amended) The method of claim Y?&, further
comprising transmitting from the authentication server to the 
authentication agent, if the first user identification 
information does not match user identification information in
the database, second notification information notifying the 
authentication agent that the user on the first node has failed 
to become authenticated, whereupon the authentication agent 
fails to authorize transmission on the second node of packets in 
data flows involving the first node and relays to the 
authentication client as part of the MAC-based authentication 
flow the second notification information. 

133. (Previously Presented) The method of claim Jr3*Z7
wherein if the authentication agent determines that the user has 
made a predetermined number of failed authentication attempts, 
the authentication agent transmits to the authentication client 
as part of the MAC-based authentication flow information 
notifying the authentication client that further authentication 
attempts will be inhibited. 

(Previously Presented) The method of claim 
wherein the packets transmitted pursuant to the authorization 
are neither encrypted nor decrypted by the second node.

135. (Previously Presented) A user authentication method
for a communication network having a plurality of nodes, the
method comprising:

entering on a first node first user identification 
information;

transmitting to an authentication agent on a second node
communicating with the first node over a LAN link the first user 
identification information; 

relaying from the authentication agent to an authentication 
server the first user identification information; 

comparing on the authentication server the first user 
identification information with user identification information 
in a database of user identification information; and 

transmitting from the authentication server to the 
authentication agent, if the first user identification 
information matches user identification information in the 
database of user identification information, information 
notifying the authentication agent that a user on the first node 
has been authenticated whereupon the authentication agent 
authorizes transmission on the second node of packets in data 
flows involving the first node, wherein the authorization 
comprises authorizing an interface to the LAN link to allow 
packets in data flows. 



136. (Previously Presented) The method of claim \y^ t
wherein the interface is on the second node. 

137. (Previously Presented) The method of claim 135,
wherein the LAN link is an Ethernet link. 

138. (Previously Presented) The method of claim 136,
wherein the authentication server is a RADIUS server.

139. (Previously Presented) The method of claim 135,
wherein the authentication server is on a third node. 

140. (Previously Presented) The method of claim 1^,
wherein prior to the authorization, the second node drops all 
packets received from the first node that are not part of an 
authentication flow. 

141. (Previously Presented) The method of claim 13£,
wherein prior to the authorization, the second node drops all 
packets received from the first node that are not addressed to 
the authentication agent. 

(Currently Amended) A user authentication method for a 
communication network having a plurality of nodes, the method 
comprising: 

entering on a first node first user identification 
information;

transmitting to an authentication agent on a second node
communicating with the first node over a LAN link the first user
identification information; 

relaying from the authentication agent to an authentication 
server the first user identification information; 

comparing on the authentication server the first user 
identification information with user identification information 
in a database of user identification information; and 

transmitting from the authentication server to the 
authentication agent, if the first user identification 
information matches user identification information in the
database of user identification information, notification 
information notifying the authentication agent that a user on 
the first node has been authenticated whereupon the 
authentication agent authorizes transmission on the second node 
of packets in data flows involving the first node and one or 
more nodes reachable by the first node via the second node and
relays to the first node the notification information.

143. (Previously Presented) The method of claim 142,
wherein prior to the authorization, the second node inhibits 
transmission to any nodes reachable by the first node via the 
second node of all packets received from the first node that are 
not part of an authentication flow. 

144. (Previously Presented) The method of claim
wherein prior to the authorization, the second node inhibits 
transmission to any nodes reachable by the first node via the 
second node of all packets received from the first node that are 
not addressed to the authentication agent. 

145. (Previously Presented) The method of claim 142,
further comprising, prior to transmitting the first user 
identification information to the authentication agent, 
transmitting from the first node to the authentication agent a 
request to establish an authentication session.

(Previously Presented) The method of claim 1^
further comprising transmitting from the first node to the 
authentication agent a logoff request, whereupon the 
authentication agent revokes the authorization. 

(Currently Amended) The method of claim 1&2. further 
comprising transmitting from the authentication server to the 
authentication agent, if the first user identification 
information does not match user identification information in 
the database, second notification information notifying the 
authentication agent that the user on the first node has failed 
to become authenticated, whereupon the authentication agent 
fails to authorize transmission on the second node of packets in 
data flows involving the first node and any nodes reachable by 
the first node via the second node and relays to the first node 
the second notification information. 

148. (Previously Presented) The method of claim 
wherein upon receipt of the second notification information, the 
authentication agent determines the number of failed 
authentication attempts made by the user. 




145. (Previously Presented) The user authentication method 
of claim 1*^^^ wherein if the authentication agent determines 
that the user has made a predetermined number of failed 
authentication attempts, the authentication agent inhibits 
further authentication attempts.

(Previously Presented) The user authentication method
of claim pk€\ wherein if the authentication agent determines 
that the user has made a predetermined number of failed 
authentication attempts, the authentication agent transmits to 
the first node information notifying the first node that further 
authentication attempts will be inhibited. 



151. (Previously Presented) A user authentication method
for a communication network having a plurality of nodes, the 
method comprising: 

entering on a first node first user identification 
information; 

transmitting to an authentication agent on a second node 
communicating with the first node over a LAN link the first user 
identification information; 

relaying from the authentication agent to an authentication 
server the first user identification information; 

comparing on the authentication server the first user 
identification information with user identification information 
in a database of user identification information; and 

transmitting from the authentication server to the 
authentication agent, if the first user identification 
information matches user identification information in the 
database of user identification information, information
notifying the authentication agent that a user on the first node 
has been authenticated whereupon the authentication agent 
authorizes transmission on the second node of packets in data 
flows involving the first node, wherein the packets that are 
transmitted pursuant to the authorization bypass the
authentication agent. 



152. (Previously Presented) A user authentication method
for a communication network having a plurality of nodes, the 
method comprising: 



entering on a first node first user identification 
information; 



transmitting to an authentication agent on a second node 
communicating with the first node over a LAN link the first user 
identification information;

relaying from the authentication agent to an authentication 
server the first user identification information; 

comparing on the authentication server the first user 
identification information with user identification information 
in a database of user identification information; and 

transmitting from the authentication server to the 
authentication agent, if the first user identification 
information matches user identification information in the 
database of user identification information, information 
notifying the authentication agent that a user on the first node 
has been authenticated and information identifying a VLAN for 
which the user has been authenticated whereupon the 
authentication agent authorizes transmission on the second node 
of packets in data flows that involve the first node and are 
within the VLAN.

153. (Currently Amended) The method of claim 152, wherein
the information notifying the authentication agent that the user 
on the first node has been authenticated and the information 
identifying the VLAN for which the user has been authenticated 
are transmitted from the authentication server to the 
authentication agent in [the same] a single packet. 

154. (Previously Presented) The method of claim 152, 
wherein one or more of the packets that are transmitted pursuant 
to the authorization are appended on the second node and 
transmitted from the second node to a backbone network with an 
identifier of the VLAN. 

(Previously Presented) The method of claim 15£, 
further comprising dropping on the second node of packets in 
data flows involving the first node and other nodes that are not 
within the VLAN.




156. (Previously Presented) The method of claim 1J
further comprising, before the authorization, dropping on the 
second node of packets in data flows involving the first node. 





157. (Previously Presented) The method of claim 152,
further comprising, after the authorization, forwarding on the 
second node of packets in data flows involving the first node 
and other nodes that are within the VLAN. 



05/04/2004 14:12 FAX 626 577 8800 CHRISTIE PARKER

Appln No. 09/886,930
Amdt date March 30, 2004

Reply to Office action of December 30, 2003 

158. (Previously Presented) The method of claim JJStf',
wherein the first user identification information is transmitted 
from the first node to the authentication agent as part of a 
MAC-based authentication flow between an authentication client 
on the first node and the authentication agent. 

159. (Previously Presented) The method of claim 152,
wherein the authorization comprises authorizing an interface to
the LAN link to allow packets in data flows.

160. (Previously Presented) The method of claim 1^2,
wherein the packets that are transmitted pursuant to the 
authorization bypass the authentication agent. 
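
An added illustration, not part of the filing or of any implementation by the applicant, of the agent behaviour the claims above recite: frames are dropped before authorization unless addressed to the authentication agent, a server accept carries a VLAN, a logoff revokes the authorization, and further attempts are inhibited after a predetermined number of failures. All names, the in-memory stand-in for the authentication server, the constructed addresses and credentials, the value of MAX_FAILURES and the choice to count failures per first-node MAC address are assumptions.

```python
import hmac
from dataclasses import dataclass, field

AGENT_MAC = "00:00:5e:00:53:01"  # constructed address of the authentication agent
MAX_FAILURES = 3                 # assumed value for the "predetermined number"
USER_DB = {"alice": ("correct horse", 20)}  # constructed server database: user -> (secret, VLAN)

def server_check(user, secret):
    """Authentication server: compare submitted information with the database."""
    entry = USER_DB.get(user)
    if entry and hmac.compare_digest(entry[0].encode(), secret.encode()):
        return True, entry[1]    # accept plus the VLAN the user is authenticated for
    return False, None

@dataclass
class Agent:
    """Authentication agent on the second node; state is kept per first-node MAC."""
    vlan_of: dict = field(default_factory=dict)   # authorized MAC -> VLAN id
    failures: dict = field(default_factory=dict)  # MAC -> failed attempts

    def login(self, mac, user, secret):
        """Relay credentials to the server; return the notification sent to the client."""
        if self.failures.get(mac, 0) >= MAX_FAILURES:
            return "inhibited"
        accepted, vlan = server_check(user, secret)
        if accepted:
            self.vlan_of[mac] = vlan
            self.failures.pop(mac, None)
            return "accept"
        self.failures[mac] = self.failures.get(mac, 0) + 1
        return "inhibited" if self.failures[mac] >= MAX_FAILURES else "reject"

    def logoff(self, mac):
        """Logoff request: revoke the authorization."""
        self.vlan_of.pop(mac, None)

    def handle(self, src_mac, dst_mac, vlan):
        """Decide what the second node does with a frame received from src_mac."""
        if dst_mac == AGENT_MAC:
            return "to_agent"    # authentication flow is always accepted
        authorized = self.vlan_of.get(src_mac)
        if authorized is not None and authorized == vlan:
            return "forward"     # authorized data flow inside the user's VLAN
        return "drop"            # not yet authorized, or outside the VLAN
```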